How Should a Company Handle a Ransomware Attack? (itwire.com)
ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th:
The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."
What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.
ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."
For starters... (Score:5, Insightful)
...by firing the CEO and the board for incompetence.
Re: (Score:2)
...by firing the CEO and the board for incompetence.
The CEO is just a figurehead. He doesn't make the decisions and isn't involved in actually running the company.
If he was busy running things, he wouldn't have time to field phone calls and chat with random strangers.
For starters... (Score:2)
Re: (Score:2)
...by firing the CEO and the board for incompetence.
Oh, yes, the American way of fixing problems - firing people as an example. Too bad it rarely works.
Re: (Score:1)
Re: (Score:2)
7% of all ransomware attacks are against MacOS, which may not sound like much until you remember that MacOS has around 9% of the desktop market, so it's averaging as expected. (7% of all ransomware attacks, so this includes Windows, Linux, Android, iOS, etc...)
"Hello . . . ? Is that you, Vlad . . . ?" (Score:1)
What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him.
They should have posted Putin's telephone number and email address, so folks could go directly to the root cause of the ransomware.
Pretty sure I know the /. answer to this (Score:5, Funny)
1. Publicly execute the board members, CEO, CIO, CTO, and CISO
2. Take the payment money for the ransom and distribute to the IT staff
3. Shut the company down.
Yes and no (Score:4, Insightful)
Transparency is good and all, but giving the CEO's phone number out is just stupid. Sitting and talking PR to newspapers is not what executives are supposed to focus on during a crisis. This isn't some fly-by-night company. There are 600 employees, and I'm willing to bet you that at least one of them is a PR person.
This may sound like an ideal response from the public's point of view, but much like BP admitting partial fault and saying it will fund the cleanup in the Gulf, things like this will likely end up in textbooks as what not to do.
Comment removed (Score:5, Insightful)
Re: (Score:2)
The CEO is not supposed to be sitting in the room as the tech guys trying to fix the problem.
I didn't say it was, there's a shitton more to handling a company wide crisis than a bunch of IT people sitting in a basement.
Likewise the CEO's job is not to sit around and answer the phone to every person who has a question about what was posted on the website. That absolutely is a bad use of their time. Their job is to give direction, and precisely during a crisis that direction changes *very* rapidly.
From your response I gather you've not seen what the C-level executives do in a high profile emergency,
Re: (Score:2)
Re: Yes and no (Score:2)
Re: (Score:2)
Re: (Score:2)
Where did the GP say the CEO should "sit around and answer the phone to every person who has a question about what was posted on the website?" Are you unable to understand moderation? Why take it to such an extreme?
So in that respect, fielding the calls isn't a bad use of the CEO's time.
The reality is someone has to answer a phone in order to find out if it's worth talking to someone, so there's nothing extreme about the CEO's phone line being permanently lit up even if all it does is burn out his executive assistant.
In any case a bad use of their time. Nothing extreme about it.
Re: (Score:2)
The reality is someone has to answer a phone
Our CEO is Lenny.
Re: (Score:2)
I didn't say it was.
Technically correct. You didn't say anything. You simply complained. So no critique of your comment would be valid.
Their job is to give direction,
The job of the CEO is not to micro-manage. In a crisis, if they need to personally "give direction", then the company is either 5 person, or the CEO is incompetent.
From your response I gather you've not seen what the C-level executives do in a high profile emergency, and it doesn't get more high profile than your entire IT infrastructure collapsing.
I've been there for that. The CIO was in every meeting, and asked few questions, and gave exactly zero direction. The CEO drove in after hours, and literally hid in his office, waiting for the CIO to update him, and I only knew
Re: (Score:3)
In my opinion, the absolute number 1 step in security is having the "right people" and giving them the resources they need to do their job and to do it right.
All of the technical implementation details should then sort of trickle down from there. This often means having people onsite in-house that know the systems inside and out.
Unfortunately, it is still too often the trend that CEOs or other higher-ups don't see IT as "profitable" so they give it
Transparency is a great starting point (Score:3)
Now we need to put companies on notice not to pay ransom and notify the appropriate authorities so they can take measures - by force of law, if necessary.
Be prepared? (Score:5, Insightful)
I feel like this is fairly straightforward. Expect to be attacked, know in advance what files and systems you expect would end up under encryption during a ransomware attack and have a plan to restore those to a safe point. It seems like with most things, if you don't simulate, prepare and have an emergency plan before you get attacked, then you are already screwed when you do.
Can talk about MS vs Linux, pay vs don't pay all you want but ransomware kind of should be treated like a natural disaster and either you are prepared ahead of time for it or you're not. Make that plan of the assumption of a successful attack first and after that start to work through the ways you stop the attack knowing they can never be 100% effective.
Re:Be prepared? (Score:5, Informative)
The question of “restore to what” and “what about our sensitive information leaking out” go beyond a good backup plan— ransomware response is very much in the “Disaster Recovery” realm rather than a more simple backup/restore routine.
I used to work with a bank that did actual disaster recovery drills once every three years, turning a warehouse into a datacenter with rental mainframe equipment. I don’t know of many organizations that go to those lengths today— everybody thinks they are hardened by design or some similar BS.
Re:Be prepared? (Score:4, Insightful)
Another friend used to work for Big Blue doing disaster recovery proof testing for what used to be the AS/400 series and whatever it was called afterwards. They would build duplicates of whatever your equipment was, then you would come over with your tapes and attempt a restore and test. So some people do take this seriously.
Some people don't know how to read questions... (Score:1)
Restore from back ups and install all updates (Score:2)
Re: (Score:2)
Quite frankly, ANY Windows box should be treated as if it were running Windows 98. (zero security, and software that loves to suck untrusted crap from everywhere).
Updates are part of the security equation, but they should NEVER be relied upon blindly. Too often, updates can actually introduce security issues or wreck system stability. Modern software is so insanely complicated and bloated, it should ALWAYS be assumed to have bugs and vulnerabilities.
If the bad guy can't get (directly or indirectly) to your
They should have handled it ahead of time (Score:5, Insightful)
Step 1, tested backups going back sufficiently far to be useful.
Step 2, don't negotiate. You're going to be targeted by the next guy as well if they know you are a cash machine.
Step 3, if you are in charge of critical infrastructure, fundamentally separate your business network from your operational network. Do not store passwords for your op net online, period. Use one-way links for monitoring, such that it should be irrelevant even if they have your passwords.
Re: (Score:3)
Step 2, don't negotiate. You're going to be targeted by the next guy as well if they know you are a cash machine.
On the contrary, other actors will reasonably conclude that after you've been attacked, regardless of whether you paid out or not, your security and backups will receive far more attention and so they should move along and simply find the next shop that views IT as a cost center.
Re: (Score:3)
Step 2, politicians are cheap, buy some
There is no Step 3
Re: They should have handled it ahead of time (Score:3)
Step 3, if you are in charge of critical infrastructure, fundamentally separate your business network from your operational network. Do not store passwords for your op net online, period. Use one-way links for monitoring, such that it should be irrelevant even if they have your passwords.
They have to be entirely separate networks, or we always have to assume if the front office is being held hostage it might not be for the ransom, it's cover to rob the back office systems. Anytime our work is disrupted by an attack or compromise on one part of the network we have to assume it's possibly cover for a deeper breach. I don't think most business can operate like that with airgapped networks so there's always going to be a point where if a breach is significant enough, like IT is denied access
Re: (Score:2)
But do not act like the operational network is impervious. Air gaps can be breached way too easy, so ensure that if the main network is breached, the operational network is breached as well and shut it down. It only takes one mistake and you can accidentally compromise the secure network, so ensure the first thing done is to shut it all down.
And don't assume - assume the secure
By demanding cryptocurrencies be made illegal (Score:1)
Re: (Score:2)
Easier to leave a paper trail if it goes from bank to bank, and you have a company you can apply the thumbscrews to.
the IT should be (Score:2)
1 capable IT that is aware of social engineering 2, redunda
Restore from backups (Score:3)
Apologize profusely for the downtime.
Don't post CxO phone numbers.
Do. Not. Pay.
Stop giving executives admin privileges (Score:2)
Re: (Score:3, Insightful)
As a founder/CEO I don't dictate much to my IT people, but what I do dictate is that nobody, and I mean nobody (not even the IT staff) are allowed to operate from an account with admin permissions. People who need admin rights have the ability to elevate when they need to, but I'll be damned if people are walking around logged in as an admin user all the time.
This is easy to prevent (Score:2)
Separate networks/servers for email and file storage. Block email attachments. Distribute files through a shared drive. Block usb drives. This will probably resolve 90% of the issues.
"data not restored!" (Score:5, Interesting)
1) Other companies will be less inclined to actually pay, "since the data won't come back anyway".
2) The criminals now think their fellows made off with the prize. Possibly/hopefully hilarity ensues.
At the least, they may be more inclined to rat each other out.
This requires it not be illegal to pay ransom.
Re:"data not restored!" (Score:5, Interesting)
they should always claim they paid the money in full
What happens when one attempts to spend the same Bitcoin twice? Theoretically, the block chain should prevent that. So the ransom victim opens an anonymous Bitcoin address and pays the ransom into their own wallet. Then sends it to the attackers. Attackers detect that 'someone' has received payment first. "Sorry guys. One of your people sent us that other address first. So we paid." Attacker demands another payment. Rinse and repeat. Eventually you, the victim, demand that they conduct a purge of their organization first. So payments don't get side tracked.
Now you break out the popcorn and lawn chair.
Re: "data not restored!" (Score:1)
And that's how you get all your stupid backupless data overwritten by /dev/random. Or worse: unencrypted while a backdoor is kept to *really* fuck you up for good. (Example: CEO caught with child porn, business secrets leaked, employees in a SJW battle, board caught financing terrorists for the last 3 years. All things I could easily do with full access to a business network and the darknet. And judges really fall in love with nice old logs and messages going back years. As if it was too hard to create them.)
Re: (Score:2)
And that's how you get all your stupid backupless data overwritten by /dev/random.
By whom? The survivors of the purge? By the time the bodies start piling up, local police can trace back through known associates and round up the living.
At any rate, we were not going to pay anyway. Systems are down, so we just unplugged the network feed. Good luck sending an erase command or CP to a pile of hard drives sitting in a forensic/data recovery firm.
Prepare, then mitigate (Score:2)
1) Keep backups of all data that needs to be preserved.
2) If an incursion occurs, prepare a cleaned up system, and restore the data from the last backup.
Re: (Score:2)
Re: (Score:2)
Presumably, the backup process mounts cloud storage or the backup device, performs an incremental backup on the data, and then umounts the storage.
How do you propose for the attacker to find how or where the backups are stored if they are not mounted at the time?
Wrong Question (Score:2)
Use the right product (Score:1)
Re: Here's the process that will work (Score:1)
Smart breakers you say? *grins in IoT hacker*
Going to look out for exploits on those from now on. :)
Don't pay the Danegeld. (Score:2)
To call upon a neighbour and to say:--
"We invaded you last night -- we are quite prepared to fight,
Unless you pay us cash to go away."
And that is called asking for Dane-geld,
And the people who ask it explain
That you've only to pay 'em the Dane-geld
And then you'll get rid of the Dane!
It is always a temptation for a rich and lazy nation,
To puff and look important and to say: --
"Though we know we should defeat you,
we have not the time to meet you.
We
Step 1: (Score:3)
Do not pay the ransom. There need to be fines doled out for this, preferably twice that of the ransom itself.
Re: (Score:2)
I would like to see actual jail time for being involved in paying a ransom. Then and only then will the payment of ransoms stop. When the payment of ransoms stops, asking for ransoms will stop too. Ideally, if all G7 and EU members implemented this it would have an even bigger impact.
I would also like to see countries that refuse to extradite their citizens for being involved in ransomware attacks cut off from the western banking system.
Prevent it. (Score:2)
By making periodic, frequent backups that are protected with a different set of keys.
Do not negotiate with terrorists (Score:2)
1. Contact your local or State agency handling Cyber attacks.
2. Instead of paying up, offer a bounty for the unmasking or neutralizing of the hacker group along with the key, at 15% of the ransom, payable in bitcoin.
Simple (Score:3)
The whole world now knows... my son, Sean Mullen, was kidnapped, for ransom, three days ago. This is a recent photograph of him. Sean, if you're watching, we love you. And this... well, this is what waits for the man that took him. This is your ransom. Two million dollars in unmarked bills, just like you wanted. But this is as close as you'll ever get to it. You'll never see one dollar of this money, because no ransom will ever be paid for my son. Not one dime, not one penny. Instead, I'm offering this money as a reward on your head. Dead or alive, it doesn't matter. So congratulations, you've just become a two million dollar lottery ticket... except the odds are much, much better. Do you know anyone that wouldn't turn you in for two million dollars? I don't think you do. I doubt it. So wherever you go and whatever you do, this money will be tracking you down for all time. And to ensure that it does, to keep interest alive, I'm running a full-page ad in every major newspaper every Sunday... for as long as it takes. But... and this is your last chance... you return my son, alive, uninjured, I'll withdraw the bounty. With any luck you can simply disappear. Understand... you will never see this money. Not one dollar. So you still have a chance to do the right thing. If you don't, well, then, God be with you, because nobody else on this Earth will be.